LDAP VPN Auth yet not in group?
freeradius at corwyn.net
Tue Aug 24 23:43:21 CEST 2010
At 04:48 PM 8/24/2010, Rick Steeves wrote:
>I authenticate VPN users where the VPN Server authenticates against
>an LDAP server and FreeRadius 2.1.8 on CentOS. That generally works
>fine. I'm using a user account to authenticate the radius server
>against AD for the queries.
>
>What's odd is that though the other user accounts work, I can't authenticate
>with that actual user account (even though it's in the same Security
>group). Multiple other users in the security group VPN_Users work.
I tracked down where this is different.
In huntgroups I have:
VPN_Huntgroup NAS-IP-Address == x.x.x.x
In users I have:
DEFAULT Huntgroup-Name == VPN_Huntgroup, Ldap-Group == "VPN_Users"
Reply-Message := "Authorized Users Only"
For a normal user, I see:
Tue Aug 24 17:02:32 2010 : Info: ++- if (Huntgroup-Name == "VPN_Huntgroup") returns ok
Tue Aug 24 17:02:32 2010 : Info: Found Auth-Type = MSCHAP
Tue Aug 24 17:02:32 2010 : Info: +- entering group MS-CHAP {...}
But if the LDAP service account connects with the VPN_Huntgroup set, I see:
Tue Aug 24 16:41:57 2010 : Info: ++- if (Huntgroup-Name == "VPN_Huntgroup") returns reject
Tue Aug 24 16:41:57 2010 : Auth: Invalid user: [_sonicwall] (from client VPN_SOHO port 0)
If I remove
VPN_Huntgroup NAS-IP-Address == x.x.x.x
from huntgroups, the normal accounts still work and log the same, but
the LDAP service account now looks like the normal users account in
the logs, and defaults to MSCHAP and then everything is ok.
As always, no idea why. Any insights appreciated for why that account
behaves differently.
Thx.
Rick
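The interaction between the huntgroups entry and the users-file DEFAULT entry above, modelled as an added example (not code from the post or from FreeRADIUS). It assumes a simplified version of how rlm_preprocess assigns Huntgroup-Name and how a users entry's check items gate its reply; the NAS address 192.0.2.10, the user names and the `ldap_groups` list standing in for the rlm_ldap group lookup are constructed values.

```python
# Simplified model of huntgroups + users DEFAULT matching (assumption, not
# FreeRADIUS source). Addresses and group memberships are constructed.
HUNTGROUPS = {
    # huntgroups: VPN_Huntgroup NAS-IP-Address == x.x.x.x (x.x.x.x stood in for)
    "VPN_Huntgroup": {"NAS-IP-Address": "192.0.2.10"},
}

USERS = [
    # users: DEFAULT Huntgroup-Name == VPN_Huntgroup, Ldap-Group == "VPN_Users"
    #            Reply-Message := "Authorized Users Only"
    ({"Huntgroup-Name": "VPN_Huntgroup", "Ldap-Group": "VPN_Users"},
     {"Reply-Message": "Authorized Users Only"}),
]


def assign_huntgroup(request, huntgroups):
    """Set Huntgroup-Name when every check item of a huntgroup matches."""
    for name, checks in huntgroups.items():
        if all(request.get(attr) == val for attr, val in checks.items()):
            return name
    return None


def check_item_matches(request, attr, val):
    """Ldap-Group is a membership test (rlm_ldap registers a compare);
    every other check item is a plain equality against the request."""
    if attr == "Ldap-Group":
        return val in request.get("ldap_groups", [])  # stand-in for LDAP lookup
    return request.get(attr) == val


def evaluate(request, huntgroups=HUNTGROUPS, users=USERS):
    """Return which users entry (if any) matched and its reply items."""
    req = dict(request)
    hg = assign_huntgroup(req, huntgroups)
    if hg is not None:
        req["Huntgroup-Name"] = hg
    for checks, reply in users:
        if all(check_item_matches(req, a, v) for a, v in checks.items()):
            return {"huntgroup": hg, "matched": True, "reply": dict(reply)}
    # No entry matched: the request falls through to later authorize modules.
    return {"huntgroup": hg, "matched": False, "reply": {}}


if __name__ == "__main__":
    vpn_user = {"User-Name": "alice", "NAS-IP-Address": "192.0.2.10",
                "ldap_groups": ["VPN_Users"]}
    print(evaluate(vpn_user))
    print(evaluate(vpn_user, huntgroups={}))  # huntgroups entry removed
```

Removing the huntgroups entry, as in the post, leaves Huntgroup-Name unset for everyone, so the DEFAULT entry never matches and every request falls through in the same way.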